Document transcript

Weknow how to build secure systems butforsecuritymeasures to betrulyeffective

itis necessary to use keys whichare far too large for people to commit to memory.Theconsequence is thatpeople

avoid using security measures orthey resort to recording their key information somewherewhich they find convenient to access. If any kind of barrier tounauthorised accessto this storeis used, it isinvariablyausername and short password or PIN

combination. This

compromises the effectiveness ofprimaryschemesbypresenting anintruder with a weak point to attack.

it can usekeys which are long enough tobe effective, yet it is alsoquickand convenient in use and could be adopted anywhere thatpresently uses username-password arrangements.

1.

Introduction

The effectiveness of any securityscheme(encryption, signing,access control) depends on the length of the keys which areused. Advances in techniques and widespread availability ofpowerful computers means that

today

these keys must beconsiderably longer than people are able or willing to committo memory.

The result is that manysecuritysystems usekeyswhich are too short to beeffective

because users have to becapable and willing to memorise them. Where the keys usedare big enough

to be effective, usersresortto recording

thisvital information because they can’t remember it.Unfortunately the methods they use are rarely secure andpresent

ideal opportunitiesfor intruders to attack.

We need an alternative to the ubiquitoususername-password style of access control whichwillpermitthe adoption ofmuch larger encryption keys without imposingexcessive load on the users. There are number of possibilitiesbut none in isolation provides asatisfactory

solution.Wedescribe a composite system which uses acombination of abiometric and an electronic token to provide a system which

avoids the problems of using either alone and is much moresecure that a typical username-password system.Theapproachis easy to implement, non-intrusive and usescheapand widely

available technologies.

It could be implementedon a wide

scale basis to improve the security of web-basedtransactions such as e-Banking and e-Commerce.

2.

Weaknesses

ofCurrent approaches

How to build secure systems and applications

is wellunderstood and documented. For example,Triple DES, RSAor Blowfish

can be highly effectivefor secure communication

[5]. However, none of these schemes is effective unlessthekeysused are long enough.As computers and computingtechniques have progressedthekeys used haveneeded togrowto the point where

128bit numbers are

common. Suchnumbers are far beyond what people could reasonably beexpected to commit to memory so they are

another means ofuser authentication, andthis is where theproblem lies: despitesignificant developments in alternativesystems, the username-password approach to authenticationremains widely used[2]. The same applies to access controlwhether it be for gaining access to a particular item ofequipment such as a computer workstation or a secure systemsuch as online trading or banking. The control mechanism isinvariably some variation of username-password.

when it isalready too late.The PIN system beingwidelyadopted forcredit card authorisations is a good example

but the sameapplies for all kinds of secure access arrangements, includingonline banking and other secure services. In the case of creditcards, the PIN is a four digit number so there areat most10,000 possibilities and

now thatcard holders

are able to selfselecttheir PIN,it is likely that a few hundreds of numbersaccount for the

huge majority of PINs

in use.

To address this issue, we need

to break the link betweenthe size of the key and the ability of users to remember: weneed aform of user identification and authentication whichdoesn’t rely on the user’s memory. One possibility iselectronic tokens. These can bestored on removable mediasuch as a smart cards

(or USB“pendrives”)[11]

and operatejust like everyday physical keys.

Authentication is achievedby the user being able to produce the necessarytoken.Thistechniqueimposesa physical barrier tointruders:access isdeniedunless the

user

can produce thetoken.

Theuserdoesn’t

need to remember anything and thelevel of security availableis determined by the nature of the token. Making such asystem more secure requires more sophisticatedtokens

and(software)locks but has no impact on the user.However

ithasweaknesses of its own. Notably, nothinglinks

the userto theirtoken

so anintruderwho is able to steal atoken(i.e.,the mediaon whichit is stored) is immediately afforded the same level ofaccess asthe rightfuluser of the key.Unfortunately, itisafeature of human users

thatthey dolosesuch tokens

from timeto timein the same way that they lose other keys

and valuableitems.

We are all unique

soanother alternative to theuser-password system is biometrics. A biometric is a measureof

any of the many features

which can be used to identify aperson.Well known examples include finger prints and irisrecognition

but there are many others

and there are establishedcriteria by which biological measurements qualify as abiometric[8].

Systems which use biometrics operate in twophases.

First,

the distinguishing features of a user’s biometricare extracted and

a template created.Then,or verification, the

biometric data

is captured again andcompared withone ormorestoredtemplates

to find a match

[6].

It has beensuggested that a user’s key could be derived from a biometric[3].

Using biometricshas manyattractions

and theyenjoyadvantages

whicharise from the fact that they area feature ofwho we are, not what we know or what we have in ourpossession.They are difficult to forge, there isnothing for theuser to remember

andthere isno simple way to borrow or steala biometric.

However, they have weaknesses too.Theextraction of biometric data using commonly available systemsis not exact. As a result, if a user’s key were derived fromtheir biometricdata it is unlikely theuser would be able torecreatetheir

keyreliably.

Ironicallytoo,the very fact thatthey are anintrinsicpart ofwho we arealsoleads

totheirbiggest problem:should a biometric

or a key which is derivedfrom it

be compromised, there is no equivalent of renewingpasswords or

changinglocks.

3.

Constructing a hybrid approach

A replacement for current username-password systems isneeded and two possible alternatives have been describedabove

but each has drawbacks. In the case ofelectronictokens,they are not tied to the user so the obligation for a

userto remember their password and keep it safe istransformedintoan obligation to keep the token safe since system access isafforded to anyone who is able to produce a valid token (atleastuntil the loss isdiscovered).

For biometrics, problemsarise fromthe difficulty of dealing with compromise

becauseof the very feature which makes them so attractive: a biometricis a property of the individual. You can’t change or replace auser’s biometric.

Our system combinesthese two systemsina way whichaddresses these drawbacks. The template against which theuser’s biometric is validated is encrypted. It is then dividedinto two parts. One is recorded on electronicmedia as part ofthe user’stoken and the other is retained inside

the securedsystem. In place of a key generated directly from the user’sbiometric we use a key which is generated independently.This is also encrypted, split and stored inthe same twolocations.

The division and separate storage of the encryptedbiometric template and user key mean that an intruder whosteals the media is unable to extract either the user’s key or thetemplate for their biometric as they only have part of theinformation. The same is true for an intruder who manages tocompromise the repository of the secured system.

In the event of loss of the token, it can be invalidated byremoval of the matching records within the secured system anda replacement generated for the user. The

replacement tokenwill again be tied to the user. As before it will comprise partsof the users encrypted biometric template and their new keybut, not only will the users key itself be different, the key usedto encrypt it and the template will also have changed.

4.

Operation of thesystem

There are two distinct activities involved in using the system.The firstis enrolment whichinvolves the capture of the user’sbiometric and generation of their electronictoken.Once auser has been enrolled, they

may then present their token andbiometric when authorisation is required.

4.1.

Enrolment

The user performs anenrolmentsimilar to

that of

a standardbiometric system: theypresent their biometric data a numberof timesfrom which a standard commercialsystemgeneratesatemplate against whichlater reading of thebiometricmay bevalidated.

Thesystem then secures this data and creates the user’selectronic key. The user’s biometric template is encrypted

using a key derived froma variety of factors, includingtheserial number of the media onto which it will be placed.Theuser’s key is thenencrypted using a key which isagainderivedfroma number of factors which includethe cipher text of theuser’s biometric template. The resulting two pieces of ciphertext are then divided. One portion of each is saved onto theremovable media as user’s electronic token and the remainderis stored in a secure location within the

protected system. SeeFigure1.

The algorithms selected to generate the encryption keysand the division of the cipher should ensure that an intrudercannot regenerate the keys easily and that neither portion ofthedivided text contains all of the information required todecode the template or key. Ideally these algorithms should bekept secret.

The user key used will depend on the details of how thesystem is

being used. For example, if the system is used forsigning onto an online system (such as online banking), thekey will be provided by or negotiated with the secured systemas part of the user sign-up procedure. It will take the formdemanded by the online system and be communicated in fullor in part

at authorisation

as demanded by the system. The keycan be made as long as the online system deems necessary andthe user need never seeit. Alternatively, as in thedemonstration system, the key could be used to unlockencrypteddata heldfor the user by the system (such asencryption keys allocated to them).

With this process complete, the user now has an

electronictoken/key which has been created for them on which part oftheir encrypted biometric template and part of their encryptedpersonal key is stored.

Without this electronic key, the systemcannot match their biometric, nor regenerate their personalkey.

4.2.

Authentication

When the user wishes to gain access to the securedsystem,they need to producetheirelectronic key

and the rightbiometric. SeeFigure2.

The

process works as follows:

1.

The system reads the serial number of the key mediaand uses

the algorithm to reconstruct the keyused to encryptthe biometric template.

2.

The encrypted biometric template is then reassembledfromthe part recovered from the key and thepart already heldwithinthe system. This template is thenpresented to thebiometric software.

3.

Thesoftware is then able to read the biometricpresented anddecide whether

it isa match

to the templateandsowhether to accept or

reject the user.

4.

Assuming the user’s biometricis accepted, the keyused to encrypt the user’s personal key can be regeneratedfrom the cipher text of the template. Using this key, the user’spersonal

key can then be extracted from the cipher textwhichis againreassembled from parts held on the electronic key andwithin the system.

5.

Now the secure system has the user’s personal keywhich, depending on the application, may be used directly bybeingpresented to another system or indirectly to encode orextract other sensitive data.

Tobuild a prototype, the firstdecision is to select anappropriate biometric (andhardware) and an appropriatetechnology for the electronic key.

For the biometric we selected a finger print system

for thefollowing reasons:



Fingerprints can

beread quickly andreliably usinginexpensive equipment.



It is notinvasive.



It is familiar and accepted by users.

The actual system used was‘Griaule FingerprintRecognition SDK’[7]

in conjunction with the MicrosoftFingerprint reader.

An inexpensive USB “pendrive” was used as a carrier forthe electronic key.

The user interface of the authentication processis shown inFigure3. This program uses our authentication scheme todecide whether to disclose (previously encrypted) data to auser or not. In the demonstration, a string previouslyencrypted using the users key is extractedand displayed if theusers electronic token and biometric are accepted. Theapplication alsodisplays

practical application, muchof the interface shownherewould be concealed and only the outcome would becommunicated to the user.We also anticipate the user beingprompted to insert their electronic key and place their fingeron the reader in similar style to the familiar request for username and password and prompted again to remove both beforethe authentication process is completed. The outcome (in theform of allowing or denying access)

would also becommunicated in theway that systems currently respond to theinput oftheusername-password pair.

Figure3: User interface of prototype system

Thissoftware

was

developedasa proof of concept

application. Ituses simple schemes for the separation of thecipher strings into parts, the derivation of the key forencryptingthe template from the media serial number and thederivation of the key for the encryption of the user key fromthe template cipher text. Much more sophisticated techniqueswhich use additional factors could be applied in a fullimplementation. However,this

software hasdemonstrated thatthe system works andprovided some useful insight into the useofthis type of system. In particular it has confirmed thatthesystem is easy to use in practice. Enrolment

is not difficultnortime consuming. Also,although it does depend on thebiometric andhardware,authentication

isquick and reliable.

Even taking into account time for user to insert their electronictoken,we believethis systemis

at least as quick in use aseliciting a username-password pair from the user.

6.

Discussion

We used aninexpensive fingerprint reader and a free SDK

sowe expected the reliability of the fingerprint verification to beproblematic. We were confident that the integration of theelectronic key would eliminate “false positives” allowingaccess to unauthorised users but we did expect that genuineusers would suffer significant numbers of “false negatives”.However, several hundred tests

revealed false negatives

ataround 7% of verifications

(andnot one false positive)fromthe fingerprint softwarewhichmatches findings of otherstudies[10].Of the false negatives, a

significant proportioncan

be attributed toimproper

or careless

finger placement onthe reader

by users. It

seems reasonable to expect that thiswould improve as users become more familiar with theprocedure.

For theelectronic key, ourprototypesystem

uses a USBpendrive andmerely requires that it be

present whenever it isneeded.Itmightbe preferable to replace this witha

form ofmedia which isn’t so readily accessed by users and otherapplications

such as a smart card, but this would necessitatethe addition of suitable hardware. The system shouldalso

insist that the user remove the key(and finger)afterauthentication, thus minimizing the opportunity for an intruderwho has achieved some access to the system to read thecontents of the key.

Theimportantissue herewas

thatwe were able toestablishthat oursystem is no less usableand at least as quick in use asconventionalusername-passwordauthorizationsystems.However, it is significantly more secure

because

it uses acombination of a biometric and an electronictoken and thekeys used to encrypt sensitive data (notably the user’s key) canbe as long asnecessary. None of the keys used in ourimplementation is less than 128bits

which is far in excess ofanything which the user could be expected to commit tomemory.The split of theencrypted information

betweentheremovable token and thesystemmeans that an intruder

whosteals the key or gains access to the system is not able toaccess

users’ keys or

biometric

templates. Should the key belost or compromised,a

user can be re-enrolled into the systemwitha replacement

key

which is different from the lost item;the encryption of the template depends on

thephysicalkey so,even it the replacement template generated by the biometricsoftware were to be exactly the same as the original,the newlycreatedtokenwill be different from the one that is lost. Thelostmediacan be rendered useless by deletion of thecorresponding portions

of the template

and user key ciphertext

from the secured system.

We have used thesystem to controlaccess to a laptop

(andto give demonstrations using a word or phrase of a user’schoosing)

butitcould be applied equally well toanysituationwhereusers username-password schemes are currentlyemployed.In online situations, the parts of the encryptedcipher texts could be stored on removable media in the exactlythe manner described above with the user’s personal computermerely acting as go-between reading the key and biometricdata and passing this on to the secured system using securecommunications techniques. Alternatively, the user’s personalcomputer which could then stand in for(store the data of)theremovable media.In this way, user’s access to a secure onlinesystem could be restricted to logons in which the correctbiometric is presented from the authorised machine. Loss ofthe machine would amount to the loss of the token and wouldnecessitate re-enrolment. A user wishing to use more than one

machine would need to enrol from each.

7.

Conclusion

and future work

Username-password is apoormethod for securing accessto valuable systems or data

because the length of names andpasswords is severely limited by the necessity for them to becommitted to memory by users.Althoughthis and otherweaknessesand widespread abusesare welldocumented,it is

almost universally used andit

presents a

vulnerabilityforattack

by intruders.

Thisworkhas taken widely available,proven technologiesand combined them to produce analternativeauthorisation

system

which uses an electronic key and a biometric incombination.The system proposedeliminates the need for theuser to commit important access information to memory.Instead access is controlled by a combination of the user beingable to satisfy a biometric measurement and produce amatching electronic token.We usedfingerprints for a proof ofconcept implementation becausethe technology involved iswidely available and inexpensive but any biometric could beused.

Features of our system mean thatin the event

of the loss ofanelectronic key, thesystem anddata it protectsremainssafeand thekey

can be replaced.

We believe this system could provide a veryacceptableandconvenient alternative to the current de-facto standard ofusername-password

(or PIN) systems which is

in

use to secure

all kinds of system access, including personal workstations andonline transactions.

8.

References

[1]

A. Adams and M. A. Sasse, "Users Are Not The Enemy,"Communications of the ACM,vol. 42, pp. 40-46, 1999.

[2]

E. Bardram, "The trouble with login: on usability and computersecurity in ubiquitous computing,"Personal and UbiquitousComputing,vol. 9, 2005.